Server, system and method for managing identity

ABSTRACT

Disclosed herein is a system and method for managing identity. The system includes a mobile terminal, a web server, and a service terminal. The mobile terminal includes a smart card on which a management server for managing user identity is mounted. The web server generates the user identity and provides the generated identity to the management server over a wired/wireless network. The service terminal receives a required identity from the mobile terminal using Near Field Communication (NFC).

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35 U.S.C. §119 to Korean PatentApplication No. 10-2009-0113521, filed on Nov. 23, 2009, in the KoreanIntellectual Property Office, the disclosure of which is incorporatedherein by reference in its entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to a server, system and methodfor managing identity, and, more particularly, to a method of managingand using a user's own identity using a smart card included in a mobileterminal.

2. Description of the Related Art

A smart card is a safe and efficient device for verifying personalidentity, and is widely used in various fields, such as communicationsusing a Universal Integrated Circuit Card (UICC), a travel service usingan electronic passport, and financial transactions using a credit card.Technologies related to a smart card include technologies for providinga hardware operation module capable of rapidly performing securityoperations, technologies for storing multimedia data of severalGigabytes, and technologies for directly processing Hypertext TransportProtocol (HTTP) messages within the smart card.

User identity may be defined as user-related information such aspersonal website authentication information (e.g., an ID and apassword), personal information, information about a service or aninstitution to which a user belongs, financial transaction information,or personal preference. Related technologies for managing such digitalidentities include Windows CardSpace and OpenID.

In the field of smart card technology, technologies to which digitalidentity is applied are partially used in limited range (e.g., a paymentcard, communication subscriber information and passport information) orlimited service domains (e.g., a financial domain and a communicationdomain). For an example, the digital identity technology is at the levelwhere a financial institution in cooperation with a telecommunicationcompany stores information about the payment card of a mobile phoneowner in the UICC (USIM) of the mobile phone using Over The Air (OTA)technology, and the user makes payments at member stores in cooperationwith the telecommunication company. For another example, telecommuterswho work for a specific organization use smart cards to prove theiridentities and use services to and at web servers provided in thecorresponding organization.

If it is sought to use more various identities in various servicedomains than in the above examples, the following technical problemsmust be overcome.

First, service providers in various fields need to safely andconveniently store identities, managed by the service providers, in thesmart cards of users. Second, various types of user identities in smartcards should be managed in an integrated manner, and users need todirectly search for or control (e.g., delete or use) the managedidentities. Third, when an identity must be provided in response torequest from a specific service provider, a user should be able to checkor select the provided identity and the provided identity should not beexposed or modified to or by a service provider other than the specificservice provider.

SUMMARY OF THE INVENTION

Accordingly, the present invention has been made keeping in mind theabove problems occurring in the prior art, and an object of the presentinvention is to enable service providers in various fields to storevarious identities in smart cards over a network.

Another object of the present invention is to enable various identitiesto be conveniently managed and used in smart cards using a uniqueclassification system.

Still another object of the present invention is to enable a useridentity to be provided to a service terminal or a web server after theuser's approval or selection.

In order to accomplish the above objects, the present invention providesa mobile terminal including a smart card on which a management server ismounted; a web server for generating the user identity and providing thegenerated identity to the management server over a wired/wirelessnetwork; and a service terminal for receiving a required identity fromthe mobile terminal using Near Field Communication (NFC).

Additionally, in order to accomplish the above objects, the presentinvention provides a website interfacing unit for receiving useridentities from a web server over a wired/wireless network; an identitymanagement unit for classifying the received identities on an attributebasis; a service terminal interfacing unit for receiving an identityrequest signal from a service terminal; and a response generation unitfor analyzing the identity request signal, and generating a responsemessage in response to the identity request signal.

Additionally, in order to accomplish the above objects, the presentinvention provides a method in which a mobile terminal of a user,including a smart card, manages user identity using a server of aservice provider which operates a website, the method includingrequesting the setting of authentication information from the server ofthe service provider and receiving information about the website fromthe server of the service provider; setting a secret key along with theserver of the service provider; requesting the server of the serviceprovider to issue a service domain certificate; receiving the servicedomain certificate, comprising the user identity issued using the secretkey, from the server of the service provider; and storing theinformation of the website and the service domain certificate in thesmart card.

Additionally, in order to accomplish the above objects, the presentinvention provides a method in which a service terminal receives a useridentity from a mobile terminal of the user on which a management serverfor managing the user identity is mounted, the method including sendingan identity request signal, including an identity identification code,to the mobile terminal through NFC; and receiving an identity, processedby the mobile terminal based on the identity identification code, fromthe mobile terminal.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and advantages of the presentinvention will be more clearly understood from the following detaileddescription taken in conjunction with the accompanying drawings, inwhich:

FIG. 1 is a schematic block diagram of an identity management systemaccording to the present invention;

FIG. 2 is a schematic block diagram of the management server shown inFIG. 1;

FIG. 3 is a schematic block diagram of the website module shown in FIG.1;

FIG. 4 is a schematic block diagram of the service terminal module shownin FIG. 1;

FIG. 5 is a schematic block diagram of the gateway shown in FIG. 1;

FIG. 6 is a schematic block diagram of the proxy server shown in FIG. 1;

FIG. 7 shows an embodiment of a method of managing an identity accordingto the present invention, and is a diagram showing a procedure in whicha web server registers a user identity with the management server;

FIG. 8 shows an embodiment of the method of managing an identityaccording to the present invention, and is a diagram showing a procedurein which the web server and the management server perform mutualauthentication;

FIG. 9 shows an embodiment of the method of managing an identityaccording to the present invention, and is a diagram showing a procedurein which the management server provides a user identity to the webserver;

FIG. 10 shows an embodiment of the method of managing an identityaccording to the present invention, and is a diagram showing a procedureof providing a user identity from the management server to a serviceterminal;

FIG. 11 shows an embodiment of the method of managing an identityaccording to the present invention, and is a diagram showing a procedurein which the web server is further included in the procedure of FIG. 10;

FIG. 12 illustrates the concept of a service domain certificate used inthe present invention; and

FIG. 13 illustrates the concept of an envelope used in the presentinvention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The advantages and characteristics of the invention and methods foraccomplishing them will become more apparent from the followingembodiments which will be described in detail in conjunction with theaccompanying drawings. However, the present invention is not limited tothe following embodiments, but may be implemented in a variety ofmanners. These embodiments are provided to complete the disclosure ofthe present invention and to help those having ordinary skill in the artto understand the scope of the present invention. The present inventionis defined only by the claims. Meanwhile, the terms used in thespecification are provided to describe the embodiments, but are notintended to limit the present invention. In the specification, asingular form, unless specially mentioned otherwise, can include aplural form. The terms ‘include(s) or comprise(s)’ and ‘including orcomprising’ used in the specification are not intended to exclude theexistence or addition of one or more other components, steps,operations, and/or elements from a mentioned component, step, operation,and/or element.

FIG. 1 is a schematic block diagram of an identity management system(hereinafter referred to as the ‘system’) using a smart card accordingto the present invention. The system according to the present invention,as shown in FIG. 1, includes a mobile terminal 10, a web server 20, aservice terminal 30, and a management institution 40.

The mobile terminal 10 includes a smart card 11, a browser 12, a gateway13, and a Near Field Communication (NFC) module 14. A Personal IdentityManagement Server (PIMS) 110 for managing a user identity is mounted onthe smart card 11. The browser 12 is means for allowing a user to accessthe management server 110 or a website operating in conjunction with theweb server 20. The gateway 13 is means for enabling the browser 12 toaccess the management server 110. Although in FIG. 1, the browser 12 isillustrated as the means for enabling a user to access the managementserver 110 or a website, the present invention is not limited theretobecause some other type of terminal may be used.

The web server 20 includes a website module 120 which generates a useridentity and transfers the generated identity to the management server110 over a wired/wireless network. The website module 120 may receive auser identity from the management server 110 and check the receivedidentity. The web server 20 may be operated by a service provider whichprovides a user with a service, such as a financial service or a medicalservice. The service provider operates a website in conjunction with theweb server 20.

The service terminal 30 includes a service terminal module 130 whichrequests required identity from the management server 110 using NFC,such as Near Field Communication (NFC), and receives the requestedidentity from the management server 110. The service terminal 30 may beoperated by a member store which provides products or services. Theidentity required by the service terminal 30 may vary depending onproducts or services provided by the member store. For example, if themember store provides a home-delivery service, the required identity maybe a user's home address or telephone number.

The management institution 40 provides remote service to a user suchthat, for example, when the user loses his mobile terminal 10, the usercan use his identity through a second mobile terminal, not the mobileterminal 10. In order to provide such remote service, the managementinstitution 40 includes a proxy server 140.

Each of the elements of FIG. 1 will be described in more detail belowwith reference to FIGS. 2 to 6.

FIG. 2 is a schematic block diagram of the management server 110included in the mobile terminal 10. The management server 110 includes awebsite interfacing unit 210, a service terminal interfacing unit 220, awebsite authentication unit 230, a user interface unit 240, a responsegeneration unit 250, a dictionary management unit 260, and an identitymanagement unit 270.

The website interfacing unit 210 enables a user to exchange protocolmessages with the web server 20 via the browser 12 of the mobileterminal 10. The protocol messages exchanged between the web server 20and the mobile terminal 10 may be a request for identity and atransmission in response to the request. For example, the mobileterminal 10 may request the user identity, generated by the web server20, from the web server 20. In response to the request from the mobileterminal 10, the web server 20 may generate the identity for the userand send it to the mobile terminal 10. Alternatively, the web server 20may request the user identity from the mobile terminal 10. In this case,the user identity requested by the web server 20 may be an identitywhich is directly input by the user.

The service terminal interfacing unit 220 enables the mobile terminal 10to exchange protocol messages with the service terminal 30. The exchangeof the protocol messages between the mobile terminal 10 and the serviceterminal 30 may be performed through the NFC module 14. The protocolmessage exchanged between the mobile terminal 10 and the serviceterminal 30 may be a request for an identity and a transmission inresponse to the request. For example, the service terminal 30 mayrequest a required identity from the mobile terminal 10, and the mobileterminal 10 may send the requested identity to the service terminal 30.

The website authentication unit 230 includes a routine for performingkey setting along with the web server 20 and a routine for performingmutual authentication after key setting. The website authentication unit230 performs mutual authentication with the web server 20. Mutualauthentication will be described with reference to FIG. 8.

When a user desires to generate or check an identity, the user interfaceunit 240 provides the user with interfacing relevant to the generation,checking or both of the identity. An identity may not only be providedby the web server 20, but an identity may be also separately receivedfrom a user through the user interface unit 240.

The response generation unit 250 analyzes a protocol message (i.e., anidentity request signal) received from the service terminal 30,generates a response message in response to the identity request signal,and sends the generated response message to the service terminalinterfacing unit 220. The response generation unit 250 includes aprotocol processing unit 252 and an envelope generation unit 254. Theprotocol processing unit 252 analyzes a protocol message received fromthe service terminal 30. The envelope generation unit 254 generates anenvelope, which is a format for transmitting an identity. The envelopeincludes the identity requested by the service terminal 30. The envelopewill be described later with reference to FIG. 13.

The dictionary management unit 260 defines an identification code and ameaning for a user identity on an attribute basis, and manages a servicedomain dictionary. The identity management unit 270 has a function ofstoring, searching for, and deleting a user identity generated by theweb server 20 or a user. The dictionary management unit 260 and theidentity management unit 270 operate in conjunction with each other sothat when an identity request signal is received from the serviceterminal 30 or the web server 20, the dictionary management unit 260 andthe identity management unit 270 can easily search for the correspondingidentity.

FIG. 3 is a schematic block diagram of the website module 120 includedin the web server 20. The website module 120 includes a mobile terminalinterfacing unit 310, a user authentication unit 320, a certificateissue unit 330, and an envelope checking unit 340.

The mobile terminal interfacing unit 310 exchanges protocol messageswith the management server 110 through the browser 12 of the mobileterminal 10. The protocol messages exchanged between the web server 20,including the mobile terminal interfacing unit 310, and the mobileterminal 10 are as described above in conjunction with the websiteinterfacing unit 210.

The user authentication unit 320 includes the routine for performing keysetting along with the management server 110 and the routine forperforming mutual authentication after key setting. The userauthentication unit 320 performs mutual authentication along with thewebsite authentication unit 230 of the mobile terminal 10.

The certificate issue unit 330 issues a service domain certificate,including the user identity generated by the web server 20 and websiteguarantee information about the identity. For example, the user identitywhich is provided by the web server 20 to the mobile terminal 10 may besent in the form of a service domain certificate. The service domaincertificate will be described in more detail later with reference toFIG. 12.

The envelope checking unit 340 checks an envelope, including a useridentity received from the user or the service terminal 30, and acquiresand/or confirms the user identity included in the envelope.

FIG. 4 is a schematic block diagram of the service terminal module 130included in the service terminal 30. The service terminal module 130includes a management server interfacing unit 410, a certificatechecking unit 420, a website interfacing unit 430, and an identityprocessing unit 440.

The management server interfacing unit 410 exchanges protocol messageswith the management server 110 of the mobile terminal 10 using NFC. Theservice terminal 30 requests a required identity through the managementserver interfacing unit 410. In response to the request for theidentity, the management server 110 sends the corresponding identity tothe service terminal 30. The identity sent to the service terminal 30 inresponse to the request may be in the form of a service domaincertificate.

The certificate checking unit 420 checks the service domain certificatereceived from the management server 110, and acquires a user identityfrom the corresponding certificate.

In another embodiment of the present invention, the service terminal 30may receive the service domain certificate, including the identity, viathe web server 20, in addition to the case in which the service terminal30 directly receives the service domain certificate from the managementserver 110. In this case, the management server 110 sends an envelope,including a requested identity, to the service terminal 30. The websiteinterfacing unit 430 receives the envelope from the management server110, and sends it to the web server 20. The web server 20 extracts theidentity, requested by the service terminal 30, from the envelope, andprovides the extracted identity to the service terminal 30.

The identity processing unit 440 manages the identification code of anidentity required by the service terminal 30. When the service terminal30 requests the required identity from the management server 110, anidentification code corresponding to the identity is included in theidentity request signal.

FIG. 5 is a schematic block diagram of the gateway 13 included in themobile terminal 10. The gateway 130 includes an HTTP request processingunit 510, a proxy server interfacing unit 520, and a remote userauthentication unit 530.

The HTTP request processing unit 510 opens a TCP port accessible to thebrowser 12 of the mobile terminal 10, and sends an HTTP message, sent bythe browser 12, to the management server 110 through a smart cardterminal interface. Furthermore, the HTTP request processing unit 510returns a HTTP response message, sent by the management server 110, tothe browser 12. For example, an address that the browser 12 of themobile terminal 10 uses to access the HTTP request processing unit 510may be, for example, http://127.0.0.1:1234/pims. The HTTP requestprocessing unit 510 opens the TCP port 1234, and waits for the receptionof a message.

The proxy server interfacing unit 520 exchanges messages with the proxyserver 140. The remote user authentication unit 530 authenticates a userwhen the user attempts to access the remote user authentication unit 530using a second terminal which is other than the mobile terminal 10including the management server 110.

FIG. 6 is a schematic block diagram of the proxy server 140 included inthe management institution 40. The proxy server 140 includes an accessaddress management unit 610 and a gateway interfacing unit 620.

The access address management unit 610 manages a URL for access to themanagement server 110 when a user attempts to use an identity stored inthe management server 110 through a second terminal. The URL for accessto the management server 110 may be, for example,“http://www.proxy.com/01012341234.” Here, “http://www.proxy.com”corresponds to the address of a proxy server, and ‘01012341234’ isinformation that the proxy server 140 uses to identify the mobileterminal 10 including the management server 110. The access addressmanagement unit 610 searches for information about the user's mobileterminal corresponding to the information ‘01012341234’.

The gateway interfacing unit 620 sends an identity request signal to thegateway 13 of the mobile terminal 10 identified by the access addressmanagement unit 610. For example, the gateway interfacing unit 620 maysend an HTTP message, received in the form of a URL, to the gateway 13of the mobile terminal 10. Furthermore, the gateway interfacing unit 620receives an HTTP response message (i.e., a response message) from thegateway 13 of the mobile terminal 10, and sends it to a second terminal.

FIG. 7 shows an embodiment of a method of using the identity managementsystem according to the present invention, and is a diagram showing aprocedure in which the web server registers a user identity with a smartcard. In the embodiment of the present invention, the web server 20 maybe operated by a service provider which provides a specific servicewhile operating a website, as described above. In this case, the webserver 20 corresponds to the server of the service provider. This is thesame for FIGS. 8 and 9.

A user accesses the web server 20 through the browser 12 of the mobileterminal 10. Here, the browser 12 may include and send information aboutthe management server 110 in an HTTP request header at step S701. Thecontent included in the header may be similar to browser informationsent to a user agent. For example, the content may be represented asfollows. The following PIMS service URL includes port information whichcan be received by a gateway.

PIMS/1.0; 127.0.0.1:1234/pims/protocol PIMS version; PIMS service URL

When the user inputs user authentication information (e.g., a PersonalIdentification Number (PIN) or biometric information) through thebrowser 12, the management server 110 becomes available to the user atstep S702. Although the user authentication information may be input bythe user through the browser 12, it may also be input through some otherapplication software.

The user requests the web server 20 to set authentication informationthrough the browser 12 at step S711. In response to the request, the webserver 20 sends its website information and a parameter for the exchangeof a key to the management server 110 at step S712. The websiteinformation and the parameter may be sent to the PIMS service URL, sentat step S701, using the HTTP POST method, or may be sent using a browserredirection technique. The website information may include a websiteidentification code which can be used to uniquely identify thecorresponding website within the management server 110.

The management server 110 requests the user to identify himself orherself through the browser 12 at step S713. For example, the managementserver 110 may generate an HTTP response message, including a requestfor user identification, using the HTTP request message received at stepS712, and send the generated HTTP response message to the user. Forexample, the HTTP response message may be a message, such as “Do youwant to set authentication information along with the websitewww.website.com?” The HTTP response message is used to check whether atask intended by the user is identical with a task which will beperformed by the management server.

After checking the content of the HTTP response message received at stepS713, the user sends a signal indicative of the completion of the checkto the management server 110 through the browser 12 at step S714.

The mobile terminal 10, including the web server 20 and the managementserver 110, sets a secret key at step S715. A protocol used at the stepS715 of setting the secret key may be implemented using one of a varietyof encryption schemes including an encryption scheme including thewebsite identification code of step S712 and a code used to uniquelyidentify the user or the management server 110.

The user requests the web server 20 to issue a service domaincertificate through the browser 12 at step S716.

In response thereto, the web server 20 issues the service domaincertificate, including a user identity and sends the issued certificateto the management server 110 at step S717. For example, the web server20 may safely send the service domain certificate to the managementserver 110 using the secret key generated at step S715.

The management server 110 stores the website information received atstep S712, the secret key generated at step S715, and the service domaincertificate generated at 5716 and sends corresponding results to thebrowser 12 at step S718. In another embodiment of the present invention,each of the website information, the secret key generated at step S715and the service domain certificate may be stored separately as soon asit is received from the website server 20.

The user checks the setting of the authentication information and theresults of the issuance of the service domain certificate by using thebrowser 12 at step S719.

Although in FIG. 7, the request for setting authentication informationand the request for issuing the service domain certificate are performedat respective steps S711 and S716, they may be performed in a singlestep.

FIG. 8 shows an embodiment of the method of managing an identityaccording to the present invention, and is a diagram showing a procedurein which the web server 20 and the management server 10 perform mutualauthentication using a user identity stored in the management server 10.

When a user requests a resource to which access by a website isprohibited through the browser 12, the browser 12 sends thecorresponding request signal to the web server 20 at step S801.

In response thereto, the web server 20 sends a website identificationcode and an authentication parameter to the management server 110 atstep S802. Here, in preparation for the case in which the managementserver 110 and the corresponding website have not yet set authenticationinformation, the web server 20 may send the website an identificationcode and the authentication parameter, including the login page of thecorresponding website or the URL of an authentication informationsetting page, to the management server 110. Furthermore, in the case inwhich mutual authentication has been normally completed, a URL to beaccessed may be included in the website identification code and theauthentication parameter.

The management server 110 searches for previously stored websiteinformation based on the website identification code and requests theuser to perform confirmation using the retrieved website information atstep S803. For example, the confirmation request signal may be an HTTPresponse message, such as “Do you want to log in to the websitewww.website.com?”.

After checking the HTTP response message, the user may send a signalindicative of the completion of the confirmation to the managementserver 110 through the browser 12 at step S804.

At step S805, the web server 20 and the management server 110 performmutual authentication using the website identification code generated atstep S712 and the secret key set at S715. The website provides therequested resource to the user at step S806.

FIG. 9 shows an embodiment of the method of managing an identityaccording to the present invention, and is a diagram showing a procedureof transferring a user identity, stored in the management server 110, tothe web server 20 in response to the request from the web server 20.

When providing a user with a specific service through a website, the webserver 20 may require the user's specific identity. For example, when auser requests the delivery of a product, the web server 20 may requirethe user's home address and telephone number. In this case, the webserver 20 sends an identity request signal, including the identificationcode of the identity required for the provision of the service, to themanagement server 110 at step S901. The identity identification code maybe an identification code for identifying a service domain certificate.

The management server 110 searches for an identity corresponding to theidentity identification code, generates an HTTP response message relatedto the retrieved identity, and sends the HTTP response message to thebrowser 12 at step S902. For example, the HTTP response message may be amessage, such as “A website www.website.com requests your home addressand telephone number. Do you want to provide them?” For example, anumber of identities (e.g., a home telephone number, a company telephonenumber, and a mobile phone number) having the same identity attribute(e.g., a telephone number) may have been registered with the managementserver 110. In this case, the procedure of FIG. 9 may further includethe step of a user selecting a specific identity (e.g., a companytelephone number).

The user checks the HTTP response message and sends a signal indicativeof the approval of sending the identity to the management server 110through the browser 12 at step S903.

The management server 110 generates an envelope by processing anidentity corresponding to the identity request signal at step S904, andsends the generated envelope to the web server 20 at step S905. Forexample, the envelope (i.e., the processed identity) may be included andsent in an identity response signal. Here, the identity response signalmay be protected using the secret key which is shared by the managementserver 110 and the web server 20.

The web server 20 may check the identity included in the envelope atstep S906.

FIG. 10 shows an embodiment of the method of managing an identityaccording to the present invention, and is a diagram showing a procedureof transferring a user identity, stored in the management server 110, tothe service terminal 30 in response to a request from the serviceterminal 30.

A user requests a local area service mode from the management server 110through the browser 12 at step S1001. The local area service mode in thepresent invention is used to activate a smart card or the NFC module 14mounted on the mobile terminal 10, thereby searching for an externalservice terminal 30 and enabling the exchange of messages between theservice terminal 30 and the management server 110.

The smart card or the NFC module 14 of the mobile terminal 10 on whichthe smart card is mounted searches for the service terminal 30 andperforms an NFC protocol at step S1002.

The service terminal 30 sends an identity request signal, including anidentity identification code corresponding to an identity required forthe provision of a service, to the mobile terminal 10 at step S1003. Theidentity request signal may be identical with the identity requestsignal described in conjunction with step S901 of FIG. 9, or may furtherinclude information about the service terminal 30 in the identityrequest signal described in conjunction with step S901.

The management server 110 of the mobile terminal 10 searches for anidentity corresponding to the identity identification code, generates anHTTP response message related to the retrieved identity, and sends theHTTP response message to the browser 12 at step S1004. For example, theHTTP response message may be a message, such as “00 member storerequests your home address. Do you want to provide it?”

The user checks the HTTP response message and sends a signal indicativeof the approval of the sending of an identity after checking the HTTPresponse message to the mobile terminal 10 through the browser 12 atstep S1005.

In response thereto, the management server 110 of the mobile terminal 10generates an envelope by processing an identity corresponding to theidentity request signal requested by the service terminal 30 at stepS1006 and sends the generated envelope to the service terminal 30 atstep S1007. For example, the envelope (i.e., the processed identity) maybe included and send in an identity response signal. In anotherembodiment of the present invention, the identity processed into theenvelope may have the form of a service domain certificate.

The service terminal 30 may check the received envelope and provide aservice to the user using the identity included in the envelope at stepS1008. When the identity included in the envelope is a service domaincertificate, the procedure of FIG. 10 may further include the step ofchecking the service domain certificate.

In still another embodiment of the present invention, steps S1004 andS1005 may be omitted in response to a request from a user. For example,if, at step S1001, the user previously defines a specific identity sothat the identity is provided and requests local area service mode, themanagement server 110 of the mobile terminal 10 may provide the userwith the specific identity previously defined by the user without aprocedure of checking the user in response to the identity requestsignal.

FIG. 11 shows an embodiment of the method of managing an identityaccording to the present invention, and is a diagram showing a procedurein which the web server 20 is further included in the procedure of FIG.10 and the identity is sent to the service terminal 30.

When a user requests local area service mode from the management server110 through the browser 12 at step S1101, a smart card or the NFC module14 of the mobile terminal 10 on which a smart card is mounted searchesfor a service terminal and performs an NFC protocol at step S1102.

The service terminal 30 includes an identity identification code,including an identity required for the provision of a service, in anidentity request signal and sends the identity request signal to themobile terminal 10 at step S1103. The identity request signal mayfurther include information about the service terminal. The identityrequest signal may further include information (e.g., a servicename-payment, amount of money-1,000 Korean won) about the serviceprovided by the service terminal 30 to the corresponding user.

The management server 110 of the mobile terminal 10 searches for anidentity corresponding to the identity identification code, generates anHTTP response message related to the retrieved identity, and sends theHTTP response message to the browser 12 at step S1104. For example, theHTTP response message may be a message, such as “A website cafe #1member store requests card information. Do you want to provide it?(Service name)-payment, (amount of money)-1,000 Korean won”.

The user checks the HTTP response message and then sends a signalindicative of the approval of the sending of the identity to the mobileterminal 10 through the browser 12 at step S1105.

The management server 110 of the mobile terminal 10 generates anenvelope by processing the identity requested by the service terminal 30at step S1106. The envelope may include an identity, information about aservice terminal, and information about a service. For example, themanagement server 110 may declare that the identity requested by theservice terminal 30 needs to be checked by the web server 20, so thatthe recipient of the envelope is set to the web server 20. Theinformation about the service terminal 30 may include a signature valuewhich is generated through a secret key which is shared by the webserver 20 and the management server 110.

The management server 110 sends the envelope, obtained by processing theidentity, to the service terminal 30 at step S1107.

The service terminal 30 having received the envelope checks therecipient included in the envelope, and sends the envelope to the webserver 20 (i.e., the corresponding recipient) at step S1108.

The web server 20 receives the envelope from the service terminal 30 andchecks the information of the service terminal 30 included in theenvelope, or the information of the service and the identity requestedby the service terminal 30, using the secret key at step S1109.

The web server 20 sends the checked identity to the service terminal 30at step S1110. Here, the sent identity may not be the user's actualidentity, but may be information for approving the service. For example,a method of sending information about the payment card of a user,information about the service terminal of a member store, andinformation about transactions through the envelope, checking a website,and sending an approval number to the service terminal 30 may be used.

FIG. 12 illustrates the concept of a service domain certificate used inthe present invention. The service domain certificate may include a useridentity generated by the web server 20 and provided to the mobileterminal 10. The service domain certificate, as shown in FIG. 12, mayinclude a service domain identification code C1, a certificateidentification code C2, a user identification code C3, a user identityC4-1 or the storage location of the user identity C4-2, a certificateissuer C5, and an issuer's signature C6.

The service domain identification code C1 is a code used to identify aservice domain. In the present invention, a service domain refers to avirtual domain including service providers, each having a service or anapparatus for identifying and using an identity included in acertificate. For example, the service providers may be e-commercewebsites, offline credit card member stores, hospitals, and drugstores.

The certificate identification code C2 is a code used to identify acertificate type within the service domain. The user identification codeC3 is a code used to identify the user in the same service domain andthe same certificate type. The user identity C4-1 is an identityprovided by an issuer (i.e., a web server) which has issued a servicedomain certificate. The place C4-2 where the user identity is stored isa place where the user identity is stored and is used to search for anidentity. The certificate issuer C5 includes information about a webserver which has issued the service domain certificate. The issuer'ssignature C6 corresponds to signature information of an issuer for theservice domain certificate.

In an embodiment of the present invention, the credit card informationis meaningfully used to make a payment for a service or a product ine-commerce or at an offline credit card member store. Accordingly,credit card information (i.e., user identity information) may beincluded in the certificate. In this case, a service domain may be ane-commerce site or an offline credit card member store.

In still another embodiment, if medical information about a user isincluded in the service domain certificate as a user identity, ahospital, a drugstore and an Internet health site in which thecorresponding medical information will be used may become a servicedomain.

The meaning of each identity and a code used to identify the identitywithin the service domain may be implemented using a document, memory ora file having a specific format, called a service domain dictionary.

FIG. 13 illustrates the concept of an envelope used in the presentinvention. As shown in FIG. 13, the envelope includes addressinformation E1, an identity E2, service terminal information E3, andservice information E4.

The address information E1 is information about an address to which anenvelope must be transferred. The address may be a service terminal or aweb server, as described above.

The identity E2 may be a service domain certificate registered with themanagement server, or may be a user's personal information, not acertificate. The user's personal information may include an address anda telephone number.

As described above in conjunction with FIG. 11, the service terminalinformation E3 may be included in the envelope in the case in which theenvelope is sent to the web server 20 via the service terminal 30. Theinformation about the service terminal 30 may not be modified throughthe secret key which is shared by the web server 20 and the managementserver 110 of the mobile terminal 10.

As described above in conjunction with FIG. 11, the service informationE4 may be included in the envelope in the case in which the envelope issent to the web server 20 via the service terminal 30. The informationabout a service E4 may be included in the envelope when the web server20 which checks the envelope requires it. For example, assuming that anidentity is a user's credit card information and the information about aservice is service purchase information, the web server 20 can determinewhether to approve a payment based on the information about a service.

The information about a service may be prevented from being modified byusing the secret key which is shared by the web server 20 and theservice terminal 30.

As described above, according to the present invention, there is anadvantage in that user identities (e.g., credit card information)managed by service providers in various fields can be safely andconveniently stored in a user's smart cards using standard webtechnologies.

Furthermore, the present invention has an advantage in that a user caneasily manage identities, configured to have various attributes andregistered with his smart card, in an integrated fashion through thebrowser of a mobile terminal.

Furthermore, the present invention has an advantage in that an identitycan be provided not only through a web server connected to the web butcan also be provided over a short-range wireless network.

Furthermore, the present invention has advantages in that a useridentity can be provided to a service terminal after a correspondinguser directly confirms the user identity and in that privacy can beprotected because an identity is not exposed to a third party.

Moreover, a user's mobile terminal and the web server can safely andconveniently perform mutual authentication using preset authenticationinformation.

Although the preferred embodiments of the present invention have beendisclosed for illustrative purposes, those skilled in the art willappreciate that various modifications, additions and substitutions arepossible, without departing from the scope and spirit of the inventionas disclosed in the accompanying claims.

1. A system for managing identity, comprising: a mobile terminal havinga smart card on which a management server for managing user identity ismounted; a web server for generating the user identity and providing thegenerated identity to the management server over a wired/wirelessnetwork; and a service terminal for receiving a required identity fromthe mobile terminal using Near Field Communication (NFC).
 2. The systemas set forth in claim 1, wherein the web server comprises: a mobileterminal interfacing unit for communicating with the mobile terminalover the wired/wireless network; and a certificate issue unit forissuing a service domain certificate, including the user identity andweb server guarantee information for the identity.
 3. The system as setforth in claim 1, further comprising a proxy server for providing aremote service for enabling the user to use the user identity, includedin the management server, through a second terminal which is not themobile terminal.
 4. The system as set forth in claim 3, wherein theproxy server comprises: an access management unit for analyzing anaccess request signal received from the second terminal, and identifyinga mobile terminal which the second terminal attempts to access; and agateway interfacing unit for sending an identity request signal,included in the access request signal, to a gateway of the identifiedmobile terminal, receiving a response message from the gateway, andsending the response message to the second terminal.
 5. A server formanaging identity, comprising: a website interfacing unit for receivinguser identities from a web server over a wired/wireless network; anidentity management unit for classifying the received identities on anattribute basis; a service terminal interfacing unit for receiving anidentity request signal from a service terminal; and a responsegeneration unit for analyzing the identity request signal, andgenerating a response message in response to the identity requestsignal.
 6. The server as set forth in claim 5, further comprising awebsite authentication unit which comprises at least one of a routinefor performing key setting along with the web server and a routine forperforming mutual authentication along with the web server.
 7. Theserver as set forth in claim 5, further comprising a user interface unitfor receiving an identity from the user, wherein the identity managementunit manages the identities provided by the web server and the identityinput by the user together.
 8. A method in which a mobile terminal of auser, including a smart card, manages user identity using a server of aservice provider which operates a website, the method comprising:requesting setting of authentication information from the server of theservice provider and receiving information about the website from theserver of the service provider; setting a secret key along with theserver of the service provider; requesting the server of the serviceprovider to issue a service domain certificate; receiving the servicedomain certificate, including the user identity issued using the secretkey, from the server of the service provider; and storing theinformation of the website and the service domain certificate in thesmart card.
 9. The method as set forth in claim 8, wherein the setting asecret key along with the server of the service provider is performedusing an encryption scheme, including an identification code of thewebsite used to identify the website and an identification code of amanagement server mounted on the smart card.
 10. The method as set forthin claim 8, further comprising: receiving an identification code of thewebsite and an authentication parameter from the server of the serviceprovider; and performing mutual authentication along with the server ofthe service provider using the identification code of the website andthe secret key based on the authentication parameter.
 11. The method asset forth in claim 8, further comprising: receiving an identity requestsignal from the server of the service provider; and sending therequested identity to the server of the service provider.
 12. The methodas set forth in claim 11, wherein the sending the requested identity tothe server of the service provider comprises: receiving the identityrequest signal, including an identity identification code, from theserver of the service provider; searching the identities stored in thesmart cards and processing an identity corresponding to the identityidentification code; and sending the processed identity to the server ofthe service provider.
 13. The method as set forth in claim 12, whereinthe sending the processed identity to the server of the service providercomprises encrypting and sending the processed identity using the secretkey.
 14. The method as set forth in claim 12, further comprising thestep of, when the identity corresponding to the identity identificationcode includes a plurality of identifies from among the identities storedin the smart card, receiving a selection signal related to one of theplurality of identifies to be sent to the server of the serviceprovider.
 15. The method as set forth in claim 8, further comprisingreceiving a user identity input by the user and storing the inputidentity in the smart card.
 16. A method in which a service terminalreceives a user identity from a mobile terminal of the user on which amanagement server for managing the user identity is mounted, the methodcomprising: sending an identity request signal, including an identityidentification code, to the mobile terminal through NFC; and receivingan identity, processed by the mobile terminal based on the identityidentification code, from the mobile terminal.
 17. The method as setforth in claim 16, wherein the identity request signal further includesservice information provided by the service terminal to the user. 18.The method as set forth in claim 16, further comprising confirming anidentity corresponding to the identity identification code based on theprocessed identity and providing the user with a service using theconfirmed identity.
 19. The method as set forth in claim 16, furthercomprising: sending the processed identity to a web server associatedwith the service terminal; and receiving an identity, corresponding tothe identity identification code, from the web server, the identitycorresponding to the identity identification code having been confirmedby the web server based on the processed identity.
 20. The method as setforth in claim 16, further comprising: sending the processed identity toa web server associated with the service terminal; and receiving aservice approval signal, generated based on the processed identity, fromthe web server, the service approval signal having been generated by theweb server which confirms an identity corresponding to the identityrequest signal based on the processed identity.